Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Adnan Vatandas <adnan.vatandas () googlemail com>
Date: Thu, 14 Oct 2010 10:15:23 +0200

On 14.10.2010 08:39, Christian Sciberras wrote:

I still see this a simple matter of violating KISS to introduce a layer of
encryption.
The question is, to which end? Sure, an attacker might see the encrypted
file
and think it's "too difficult" for him to get to the passwords. Another
might use
a certain utility to decrypt the said file. The thing is, to which end are
we encrypting
the data? Just for the sake of making it work like the N other programs?
I mean, if this doesn't *work*, why even *bother*?

Doesn't look like KISS to me.

http://filezilla-project.org/client_features.php

Well, anyway. At least two reasons come to my mind why Filezilla
shouldn't store user credentials at all without asking the user.

First:
Here on the full-disclosure mailing list, the average poster certainly
has significantly more computer knowledge than the average filezilla
user (or computer user in general).
Noone questions the stupidity of putting whole Filezilla directories
online like the ones found on Google. But that's just how users
behave, and a computer program programmed for public use
should take this into account. For the same reason Mozilla Firefox
automatically choses encrypted connections when using the
"New Account Wizard". For the same reason Online Banking
automatically switches to SSL encrypted connections instead of
offering the customers an optional link to HTTPS.
Filezilla does not exactly follow the "do one thing and do it good"
Unix philosophy, so it wouldn't "break" the program or anything by
storing encrypted passwords. It could even store the credentials
securely the same way it stores them right now, just by offering the
user to chose a single master password.

Second:
"Stupid users who upload their own password files" is ONE example
where user credentials get into wrong hands.
What's about theft, loss or any other situation where strangers
get direct access to the machine?

You could still blame the user for loosing his notebook
or leaving it unattended or not encrypting it or using a computer
without being a computer expert in the first place, right?

-- 

Adnan Vatandas

http://adnanvatandas.wordpress.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault